How can real estate organizations get ahead of cyber risk?
1. Identify critical assets early and often. Mitigating cyber risk effectively begins by understanding where and how you are exposed. Real estate organizations need updated inventories of which assets are critical. And they need to refresh those lists regularly as projects evolve, buildings open and new technology comes into play. Include any asset that is critical to the function of the space itself. This framework then becomes your guide to strengthening priority areas against potential cyber hacks.
2. Align assets and operations in a seamlessly integrated plan. Join up critical asset maps with insight into who owns those respective areas. Be sure to highlight the links between operational and IT tools and teams so everyone understands who is responsible for what, where, when and how. This insight empowers the entire organization to maintain a proactive cybersecurity approach, as well as crisis plans that can be enacted quickly to resolve issues as they arise.
3. Weave cybersecurity into enterprise risk management. In the past, operations teams determined what was important from the risk perspective. But cybersecurity can’t live in a silo. Technology, and the threats it brings, is changing too quickly for that to work. Instead, weave cybersecurity into the organization’s broader enterprise risk management system and processes. It must live there in the framework to ensure everyone understands what’s happening and can mitigate vulnerabilities accordingly. This is how you start to embed shared responsibility for cybersecurity in the fabric of the organization and its physical assets to embrace a true security-by-design approach.
4. Set clear controls. Regulatory changes are an important trigger for updating controls. Still, real estate organizations must maintain an ongoing focus on controls, even when nothing new is happening from a regulatory standpoint. Build in processes to gut-check, on a regular basis, which controls are working and which ones may need additional tweaks.
5. Double down on due diligence. Cyber risks extend well beyond third parties to fourth and even fifth parties. The more you know about that value chain, the better prepared your organization will be to stop risks as they emerge. Real estate companies need to expand due diligence processes in light of emerging cyber risks. Obligations should be extended to all contractors and subcontractors. Checks should be carried out on a continuing basis. That brings the need for greater interaction between HR and IT procurement systems. Look into this now. The greatest threat you have is always the one you never knew existed.